registry  /  @miravia_skills/miravia-order-report  /  0.1.38

@miravia_skills/miravia-order-report@0.1.38

Miravia Order Report Skill installer — one command to install the Miravia order export & analytics skill into any AI Agent (Qoder / Cursor / Claude Code).

Static Scan Results

scanned 5h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 88.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; source closely matched a different package identity

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystem
Supply chain
MinifiedTelemetry
ManifestNo manifest risk signals triggered.
scanned 7 file(s), 239 KB of source

Source & flagged code

7 flagged · loading source
dist/scripts/skill_keypair.pyView file
14patternName = private_key_rsa severity = critical line = 14 matchedText = "private...--",
Critical
Critical Secret

Package contains a critical-looking secret pattern.

dist/scripts/skill_keypair.pyView on unpkg · L14
14patternName = private_key_rsa severity = critical line = 14 matchedText = "private...--",
Critical
Secret Pattern

RSA private key in dist/scripts/skill_keypair.py

dist/scripts/skill_keypair.pyView on unpkg · L14
50patternName = private_key_rsa severity = critical line = 50 matchedText = pem = f"...-\n"
Critical
Secret Pattern

RSA private key in dist/scripts/skill_keypair.py

dist/scripts/skill_keypair.pyView on unpkg · L50
67patternName = private_key_rsa severity = critical line = 67 matchedText = f"Templa..."}}"
Critical
Secret Pattern

RSA private key in dist/scripts/skill_keypair.py

dist/scripts/skill_keypair.pyView on unpkg · L67
dist/scripts/export_orders.pyView file
path = dist/scripts/export_orders.py kind = build_helper sizeBytes = 73597 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

dist/scripts/export_orders.pyView on unpkg
bin/cli.jsView file
matchType = package_source_clone_identity_mismatch matchedPackage = miravia-order-report@0.1.13 matchedPath = bin/cli.js matchedIdentity = npm:bWlyYXZpYS1vcmRlci1yZXBvcnQ:0.1.13 similarity = 0.833 shingleOverlap = 5 summary = source files closely matched a different published package identity
High
Package Source Clone Identity Mismatch

Package source closely matches a different published package identity; review for dependency-confusion or copied-code abuse.

bin/cli.jsView on unpkg
dist/README.mdView file
80patternName = private_key_rsa severity = critical line = 80 matchedText = # "pri...--",
Critical
Secret Pattern

RSA private key in dist/README.md

dist/README.mdView on unpkg · L80

Findings

5 Critical1 High3 Medium4 Low
CriticalCritical Secretdist/scripts/skill_keypair.py
CriticalSecret Patterndist/README.md
CriticalSecret Patterndist/scripts/skill_keypair.py
CriticalSecret Patterndist/scripts/skill_keypair.py
CriticalSecret Patterndist/scripts/skill_keypair.py
HighPackage Source Clone Identity Mismatchbin/cli.js
MediumEnvironment Vars
MediumShips Build Helperdist/scripts/export_orders.py
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowTelemetry